Shuhao, Apt keys and packages typically aren't provided over HTTPS - even by the distribution itself (see /etc/apt/sources.list). There is no transport security but the the packages are signed which provides a generally agreed upon adequate level of security. There is some discussion here[1] that details why HTTPS doesn't offer much security for this process. As a quick pass I looked at a dozen other projects that all follow the same pattern with respect to both keys and packages.
Cheers, Seth Thomas [1] http://askubuntu.com/questions/146108/how-to-use-https-with-apt-get On Wed, Nov 13, 2013 at 4:31 PM, Shuhao Wu <[email protected]> wrote: > Hi, > > I just came across the instructions to install Riak again and I think > there's some insecurities with the instructions. > > On this page[1], there is a line that suggests we should do this: > > curl http://apt.basho.com/gpg/basho.apt.key | sudo apt-key add - > > This is not https and should be. Additionally, an https version of > apt.basho.com does not seem to be available. > > [1]: > http://docs.basho.com/riak/latest/ops/building/installing/debian-ubuntu/ > > Cheers, > Shuhao > > _______________________________________________ > riak-users mailing list > [email protected] > http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com >
_______________________________________________ riak-users mailing list [email protected] http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
